On Mon, Sep 16, 2002 at 02:11:31PM -0400, Stephen Frost wrote:
> * Javier Fern?ndez-Sanguino Pe?a (jfs@dat.etsit.upm.es) wrote:
> > (the 'named' user gets created)
> > 2.- user configures the name server and sets the zone information in
> > common dir, for example /var/named/
>
> Now hang on a second here. You think the master zone files are going to
> be owned by the named user? That's a bad assumption to begin with, they
> should be owned by root (as they are on my system...). So, really, all
> we're talking about here are cache files which should be recreated when
> you update anyway. I should have realized the folly of the original
> proposal earlier.
No, no folly. Please think a moment. What permissions are you
suggestion for master zone files? 644 with root:root? That's plain wrong,
I don't want my master zone files to be accesible by any other process
than the name server. That's sensible information, you do disable zone
transfers don't you?
That means that the only sensible permissions for master zone files are
640 root:named, or, if you do want the named server to modify them 640
named:named.
Do you agree with me here?
> As for some directory where the master zone files are stored... There's
> stuff in the debian developer's manual on how to handle that kind of
> situation, as I recall. The directory and files should be owned by
> root though, not named.
>
Wrong again, I don't want normal users accessing my name server
files, or any rogue process for that matter (apache-ssl, hint, hint). If
we are not going to provide chrooted environments for *all* open services
I want configuration files isolated from one another and protected from
local users.
Regards
Javi